File Identification in iOS

Michael Ogata

michael.ogata@nist.gov

Questions:

• Can the NSRL method of file identification be

used to identify files on a device running iOS?

• Once identified, can applications be

automatically classified by their behavior?

Presentation Overview

• Applying the NSRL methodology to iOS – Brief anatomy of iOS file system

– Brief anatomy of iOS applications

– File identification on an iPhone

• Methods for describing application functionality – Manifest files

– Examining application binaries

• Benefits / Future Work

Anatomy of the iOS File System

NAND Storage

System Partition

OS Files Factory Installed

Applications

/private/var

User Data and Applications

Anatomy of an iOS Application

Application Zip File (ipa)

iTunesArtwork iTunesMetadata.plist Payload

Application files and resources

Info.plist

iPhone File Identification

• Application corpus of 91 applications

– 49,403 files

– 43,462 unique files

• File sets extracted from 1st generation iPhone

– Set 1: No applications (used as baseline)

– Set 2: One application synced to phone

– Set 3: 33 (all compatible) corpus applications synced to phone

Uniqueness of Files

173

477

151

446

0

100

200

300

400

500

600

iPhone No Applications ( Set 1 ) iPhone with Amazon.app ( Set 2 )

# of Files # of Unique Files

Uniqueness of Files in Set 3

20030

17095

0

2500

5000

7500

10000

12500

15000

17500

20000

iPhone with 33 Applications( set 3 )

File Unique

File Identification in Set 2

138 119

296 289

43 38

0

100

200

300

400

500

600

# Files in Set 2 # Unique Files in Set 2

Overlap with Set 1 Overlap with Amazon.app Unidentified Files

File Identification in Set 3

149 118

19799

16487

380

726

0

5000

10000

15000

20000

25000

# Files in Set 3 # Unique Files in Set 3

Overlap with Set 1 Overlap with Corpus Unidentified Files

98.8 % 96.4 %

Describing Application Functionality

• Info.plist

• Examining application binary files

Info.plist

Info.plist

• Dictionary of key-value pairs

– UIDeviceFamily / MinimumOSVersion

– UIRequiresPersistantWifi

– UIBackgroundModes

• Describes how the application functions when backgrounded

*http://developer.apple.com/library/ios/#documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html

Info.plist Continued…

– UIRequiredDeviceCapabilities

• Specifies hardware requirements: – GPS and location services

– Accelerometer

– Front or rear facing cameras

– Bluetooth

– SMS

• Requirements not declared are still permitted

Examining Application Binary Files

• String Search of binary files

• Apple Developer Libraries embedded in plain text

• Identified 70 unique library names

Notable Observed Libraries

Library Name # Times Observed

CoreLocation.framework/CoreLocation 69

libsqlite3.dylib 65

AddressBook.framework/AddressBook 53

CoreTelephony.framework/CoreTelephony 44

GameKit.framework/GameKit 33

Twitter.framework/Twitter 15

ExternalAccessory.framework/ExternalAccessory

2

Frequencies of Observed Libraries

0

10

20

30

40

50

60

70

80

90

100

/usr

/lib

/lib

Syst

em.B

.dyl

ib

/usr

/lib

/lib

ob

jc.A

.dyl

ib

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/U

IKit

.f…

/usr

/lib

/lib

gcc_

s.1.

dyl

ib

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/Q

uar

t…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/A

ud

io…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/M

edi

a…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/C

FNet

…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/C

ore

L…

/usr

/lib

/lib

std

c++.

6.d

ylib

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/O

pen

…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/Se

curi

…

/Sys

tem

/Lib

rary

/Fra

me

wo

rks/

Co

reT…

/usr

/lib

/lib

xml2

.2.d

ylib

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/A

dd

re…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/G

ame…

/Sys

tem

/Lib

rary

/Fra

me

wo

rks/

Eve

nt…

/Sys

tem

/Lib

rary

/Fra

me

wo

rks/

Co

reT…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/Tw

itt…

/usr

/lib

/lib

icu

core

.A.d

ylib

/usr

/lib

/lib

ico

nv.

2.d

ylib

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/A

sset

s…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/Im

age…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/A

ccel

…

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/Ex

ter…

/usr

/lib

/sys

tem

/lib

lau

nch

.dyl

ib

/usr

/lib

/sys

tem

/lib

cop

yfile

.dyl

ib

/usr

/lib

/sys

tem

/lib

syst

em

_sa

nd

bo

x.…

/usr

/lib

/sys

tem

/lib

rem

ove

file

.dyl

ib

/usr

/lib

/sys

tem

/lib

xpc.

dylib

/usr

/lib

/sys

tem

/lib

dis

pat

ch.d

ylib

/usr

/lib

/sys

tem

/lib

com

pile

r_rt

.dyl

ib

/usr

/lib

/sys

tem

/lib

keym

gr.d

ylib

/Sys

tem

/Lib

rary

/Fra

mew

ork

s/C

ore

I…

/usr

/lib

/sys

tem

/lib

mac

ho

.dyl

ib

Potential Benefits

• Augment the RDS

• Identify files on iOS devices

• Build iOS application behavior profiles

• Build iOS device capability profiles

Future Work

• Incorporate iOS application acquisition into NSRL acquisition chain ✓

• Build iOS Library Data Dictionary

• Build DFXML iOS data set

• Determine applicability to iPhone backup files

– File fragments and fuzzy hashing

• Determine applicability to iCloud

• Expanding into the Android platform

Acknowledgements

• Zdziarski, J. (2003). iPhone Forensics. Sebastopol, CA: O’Reilly Media Inc.